Lawful interception (LI) requirements for encrypted services such as enhanced internet protocol (IP) multimedia subsystem (IMS) Media Security are detailed in Section 5.7 of Third Generation Partnership Project (3GPP) Technical Specification (TS) 33.106. In one requirement, interception shall be performed in such a manner as to avoid detectability by the target or others. In another requirement, an encryption solution shall not prohibit commencement of interception and decryption of an existing communication.
In the Multimedia Internet KEYing Ticket (MIKEY-TICKET) key exchange protocol, an initiator user equipment (UE) generates a random number RANDRi which is included as a field in a REQUEST_INIT message (i.e., a ticket request message) sent to a key management service (KMS). Also included in the REQUEST_INIT message is the crypto session identity (CS ID) contained in the common header payload (HDR) field. In one implementation of the MIKEY-TICKET protocol, the KMS returns to the initiator UE a traffic encryption key (TEK) for secure communication with a responder UE. In another implementation of the MIKEY-TICKET protocol, the KMS returns to the initiator UE a generating key that is to be used in the generation of the TEK for secure communication with a responder UE. The generating key is called a TEK generation key (TGK) and may be contained in the key data transport payload (KEMAC) field portion of the REQUEST_RESP message from the KMS to the initiator UE. The RANDRi value together with the CS ID and the TGK are used in some implementations by the initiator UE and by a responder UE to generate the TEK used for ciphering in secure realtime transport protocol (SRTP) communication between the initiator UE and the responder UE.
Keying information such as RANDRi, CS ID, TGK and TEK is discarded by the KMS when replying to the initiator UE. As such, information to regenerate the TEK for lawful interception is discarded by, and becomes unavailable to, the KMS. Therefore, mid-call interception of MIKEY-TICKET TEK based SRTP communications between the initiator UE and the responder UE is currently possible only through re-keying. Unfortunately, re-keying is detectable by both the initiator UE and the responder UE, thereby breaking the lawful interception requirements listed above.